
How can we get Cribl to keep the time within the log?

Brendan, I am having the Linux engineer run that when they get back, but I am almost 100% positive that it is in UTC. All servers/appliances are set to UTC.


Same for Cribl? :wink:


I think what I am going to do is just use index time. It is not ideal, but to keep up with all the 1000's of desktops is not sustainable.


The latest release of Cribl supports S2S v4 which would accept the OS time when the UF connects to Cribl.


Does that help at least for the Splunk side of things?


hmmm, okay I will check this out


I applied that change, and it looks like the events are still coming in mixed up. For example, it is 13:33 my time but events are being indexed -5 hours.


`date`


What is the time showing where the forwarder is running?


So this is what is really odd. Here is an _internal log, and this is behaving as expected.


And what is the version of the forwarder?


ohh, I see in the internal log, it has -0500

